Springboot + Spring Security + jwt-token實現權限認證

原創 KID5945 2020-02-25 01:04

 一、前言

本項目默認是用session認證用戶的,但是源於要開放某些接口給其他系統調用,故想在保留原先session認證的基礎上,對部分接口使用jwt-token認證。參考了網上的一些資料,針對自己項目實際情況實現如下。

二、解決思路

其實網上很多不是Spring Security做權限框架的,解決思路就是工具生成token,攔截器或過濾器驗證token有效性;還有一些是用了Spring Security權限框架,但是隻用token做權限認證,沒有使用session的,只需要按照這篇文章去自定義認證,然後用過濾器去驗證token。但是這裏面最重要的是理清楚Spring Security是這麼判斷用戶已經登錄的,使用token怎麼讓Spring Security去知道當前已登錄。這就要了解Spring Security的認證流程了。

三、疑惑

首先,我們都知道,用Spring Security獲取當前用戶認證的方法 SecurityContextHolder.getContext().getAuthentication(),這裏大家有沒有思考過,默認情況我們都是用session管理用戶登錄信息的,通過上面的方法是怎麼跟session聯繫起來的,我們看下SecurityContextHolder跟SpringContext實現類的源碼


public class SecurityContextHolder {
	// ~ Static fields/initializers
	// =====================================================================================

	public static final String MODE_THREADLOCAL = "MODE_THREADLOCAL";
	public static final String MODE_INHERITABLETHREADLOCAL = "MODE_INHERITABLETHREADLOCAL";
	public static final String MODE_GLOBAL = "MODE_GLOBAL";
	public static final String SYSTEM_PROPERTY = "spring.security.strategy";
	private static String strategyName = System.getProperty(SYSTEM_PROPERTY);
	private static SecurityContextHolderStrategy strategy;
	private static int initializeCount = 0;

	static {
		initialize();
	}

	// ~ Methods
	// ========================================================================================================

	/**
	 * Explicitly clears the context value from the current thread.
	 */
	public static void clearContext() {
		strategy.clearContext();
	}

	/**
	 * Obtain the current <code>SecurityContext</code>.
	 *
	 * @return the security context (never <code>null</code>)
	 */
	public static SecurityContext getContext() {
		return strategy.getContext();
	}

	/**
	 * Associates a new <code>SecurityContext</code> with the current thread of execution.
	 *
	 * @param context the new <code>SecurityContext</code> (may not be <code>null</code>)
	 */
	public static void setContext(SecurityContext context) {
		strategy.setContext(context);
	}

	
}


public class SecurityContextImpl implements SecurityContext {

	private static final long serialVersionUID = SpringSecurityCoreVersion.SERIAL_VERSION_UID;

	// ~ Instance fields
	// ================================================================================================

	private Authentication authentication;

	public SecurityContextImpl() {}

	public SecurityContextImpl(Authentication authentication) {
		this.authentication = authentication;
	}

	// ~ Methods
	// ========================================================================================================

	@Override
	public boolean equals(Object obj) {
		if (obj instanceof SecurityContextImpl) {
			SecurityContextImpl test = (SecurityContextImpl) obj;

			if ((this.getAuthentication() == null) && (test.getAuthentication() == null)) {
				return true;
			}

			if ((this.getAuthentication() != null) && (test.getAuthentication() != null)
					&& this.getAuthentication().equals(test.getAuthentication())) {
				return true;
			}
		}

		return false;
	}

	@Override
	public Authentication getAuthentication() {
		return authentication;
	}

	@Override
	public int hashCode() {
		if (this.authentication == null) {
			return -1;
		}
		else {
			return this.authentication.hashCode();
		}
	}

	@Override
	public void setAuthentication(Authentication authentication) {
		this.authentication = authentication;
	}

	@Override
	public String toString() {
		StringBuilder sb = new StringBuilder();
		sb.append(super.toString());

		if (this.authentication == null) {
			sb.append(": Null authentication");
		}
		else {
			sb.append(": Authentication: ").append(this.authentication);
		}

		return sb.toString();
	}
}

我們只看重點部分,SpringContext是通過 SecurityContextHolderStrategy 取出來的,而Authentication對象是它的一個屬性,這裏看起來也沒跟session有什麼關聯,看來重點應該在 SecurityContextHolderStrategy 裏了,我們找到了它的一個實現ThreadLocalSecurityContextHolderStrategy


final class ThreadLocalSecurityContextHolderStrategy implements
		SecurityContextHolderStrategy {
	// ~ Static fields/initializers
	// =====================================================================================

	private static final ThreadLocal<SecurityContext> contextHolder = new ThreadLocal<>();

	// ~ Methods
	// ========================================================================================================

	public void clearContext() {
		contextHolder.remove();
	}

	public SecurityContext getContext() {
		SecurityContext ctx = contextHolder.get();

		if (ctx == null) {
			ctx = createEmptyContext();
			contextHolder.set(ctx);
		}

		return ctx;
	}

	public void setContext(SecurityContext context) {
		Assert.notNull(context, "Only non-null SecurityContext instances are permitted");
		contextHolder.set(context);
	}

	public SecurityContext createEmptyContext() {
		return new SecurityContextImpl();
	}
}

看出來是從線程局部變量裏獲取的,但是是什麼時候放進去的呢?查找了Spring Security的資料後,找到了一個攔截SecurityContextPersistenceFilter

public class SecurityContextPersistenceFilter extends GenericFilterBean {

   static final String FILTER_APPLIED = "__spring_security_scpf_applied";
   //安全上下文存儲的倉庫
   private SecurityContextRepository repo;

   public SecurityContextPersistenceFilter() {
      //HttpSessionSecurityContextRepository是SecurityContextRepository接口的一個實現類
      //使用HttpSession來存儲SecurityContext
      this(new HttpSessionSecurityContextRepository());
   }

   public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
         throws IOException, ServletException {
      HttpServletRequest request = (HttpServletRequest) req;
      HttpServletResponse response = (HttpServletResponse) res;

      if (request.getAttribute(FILTER_APPLIED) != null) {
         // ensure that filter is only applied once per request
         chain.doFilter(request, response);
         return;
      }
      request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
      //包裝request,response
      HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request,
            response);
      //從Session中獲取安全上下文信息
      SecurityContext contextBeforeChainExecution = repo.loadContext(holder);
      try {
         //請求開始時,設置安全上下文信息,這樣就避免了用戶直接從Session中獲取安全上下文信息
         SecurityContextHolder.setContext(contextBeforeChainExecution);
         chain.doFilter(holder.getRequest(), holder.getResponse());
      }
      finally {
         //請求結束後,清空安全上下文信息
         SecurityContext contextAfterChainExecution = SecurityContextHolder
               .getContext();
         SecurityContextHolder.clearContext();
         repo.saveContext(contextAfterChainExecution, holder.getRequest(),
               holder.getResponse());
         request.removeAttribute(FILTER_APPLIED);
         if (debug) {
            logger.debug("SecurityContextHolder now cleared, as request processing completed");
         }
      }
   }

}

 每次請求過來都會先進入這個攔截器,然後通過HttpSessionSecurityContextRepository來獲取SpringContext上下文,而SpringContext則是放在session裏面的,結束的時候又將SpringContext放回session,此處終於找到關聯session的地方。

public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
   // 'SPRING_SECURITY_CONTEXT'是安全上下文默認存儲在Session中的鍵值
   public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
   ...
   private final Object contextObject = SecurityContextHolder.createEmptyContext();
   private boolean allowSessionCreation = true;
   private boolean disableUrlRewriting = false;
   private String springSecurityContextKey = SPRING_SECURITY_CONTEXT_KEY;

   private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

   //從當前request中取出安全上下文,如果session爲空,則會返回一個新的安全上下文
   public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
      HttpServletRequest request = requestResponseHolder.getRequest();
      HttpServletResponse response = requestResponseHolder.getResponse();
      HttpSession httpSession = request.getSession(false);
      SecurityContext context = readSecurityContextFromSession(httpSession);
      if (context == null) {
         context = generateNewContext();
      }
      ...
      return context;
   }

   ...

   public boolean containsContext(HttpServletRequest request) {
      HttpSession session = request.getSession(false);
      if (session == null) {
         return false;
      }
      return session.getAttribute(springSecurityContextKey) != null;
   }

   private SecurityContext readSecurityContextFromSession(HttpSession httpSession) {
      if (httpSession == null) {
         return null;
      }
      ...
      // Session存在的情況下,嘗試獲取其中的SecurityContext
      Object contextFromSession = httpSession.getAttribute(springSecurityContextKey);
      if (contextFromSession == null) {
         return null;
      }
      ...
      return (SecurityContext) contextFromSession;
   }

   //初次請求時創建一個新的SecurityContext實例
   protected SecurityContext generateNewContext() {
      return SecurityContextHolder.createEmptyContext();
   }

}
wAAACH5BAEKAAAALAAAAAABAAEAAAICRAEAOw==

四、如何驗證是否登錄

FilterSecurityInterceptor此攔截器是用來判斷用戶是否登錄以及有哪些資源的權限的,這個攔截器最後會找到你配置的未登錄表單路徑,重定向到該路徑,這個我會單獨拿出來講一下。

 

 

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

編譯時和運行時的概念區分

什麼叫編譯時和運行時:https://blog.csdn.net/weiwenhp/article/details/8107203 編譯:類似翻譯,就是將源代碼翻譯成機器能識別的代碼。 運行:就是將代碼跑起來,被裝載到內存中去了。

一只有理想的程序猿 2020-07-08 03:16:12

java jar運行外部配置文件(.properties)

解決方法如下: 1.通常導入項目內的配置文件(.properties文件)是如下代碼:      Properties properties = new Properties();     // 使用ClassLoader加載proper

cookietian 2020-07-07 01:05:03

JAVA for循環寫法

首先定義一個數組 String[] a = new String["adb","cbd","23a","b3pd"]; 1.普通for循環寫法 for(int i=0;i<a.length;i++){ System.out.printl

雷建 2020-07-07 00:50:05

實例化子類的執行過程

public class People extends Animal { //子類無參構造   public People(){ System.out.println("您好"); } //子類有參構造

Sowhat胜 2020-07-06 15:48:13

java語言基礎之4種代碼塊以及構造函數比較大集合-java基礎精品筆記-作者:逝秋

class Demo { private static int day=0; private static int age=0; public Demo() { day=day+1; System.out.printl

Fuuqiu 2020-07-04 01:00:58

java語言基礎之構造函數深入以及構造函數和構造代碼塊比較-作者:逝秋

  class Demo { public Demo()//構造函數(方法) { int a=90; System.out.println("構造函數a="+a); } { //構造代碼塊 int a=80;//未創

Fuuqiu 2020-07-04 01:00:58

java語言倆個for嵌套打印圖形-作者:明月-整理:逝秋

class Demo { public static void main(String[] args) { for (int a=0;a<5;a++ ) { for (int b=5;b>0;b-- ) {

Fuuqiu 2020-07-04 01:00:58

java語言基礎之代碼塊詳解

(一)java 靜態代碼塊 靜態方法區別 一般情況下,如果有些代碼必須在項目啓動的時候就執行的時候,需要使用靜態代碼塊,這種代碼是主動執行的;需要在項目啓動的時候就初始化,在不創建對象的情況下,其他程序來調用的時候,需要使用靜態方法,這種

Fuuqiu 2020-07-04 01:00:58

java語言基礎數組選擇排序從小到大-作者:逝秋

class Text1 { //選擇排序:從小到大 public static void main(String[] args) { int[]arr=new int[]{12,9,56,45,10}; for (int

Fuuqiu 2020-07-04 01:00:58

java語言函數部分實列附加代碼截圖-作者:逝秋

class Demo { public static void main(String[] args) { int l=mini(8,3); prints(9,23); byte a=3;

Fuuqiu 2020-07-04 01:00:58

java語言打印一個4*12長方形-作者:逝秋

class Demo { public static void main(String[] args) { //打印一個4*12的長方形 for (int a=0;a<4;a++)//控制長方形的寬爲4 { Sy

Fuuqiu 2020-07-04 01:00:58

1. SpringSecurity 快速入門與簡單使用

Spring 官網對 SpringSecurity 的簡介 Spring Security is a powerful and highly customizable authentication and access-cont

Earth_Programer 2020-07-03 16:58:10

Spring Security自定義登錄驗證(不使用userDetailsService)

一:功能說明 實現了自定義登錄驗證(AuthenticationProvider)   二:具體代碼 1.自定義AuthenticationProvider /** * @author LEI * Created by LEI on

云海梦尘 2020-07-03 16:11:01

BCrypt初體驗之加密與驗證

版權聲明:本文爲 小異常 原創文章,非商用自由轉載-保持署名-註明出處,謝謝! 本文網址:https://blog.csdn.net/sun8112133/article/details/107057062 BCryp

小异常 2020-07-02 20:33:30

關於There is no PasswordEncoder mapped for the id null的報錯

版權聲明:本文爲 小異常 原創文章,非商用自由轉載-保持署名-註明出處,謝謝! 本文網址:https://blog.csdn.net/sun8112133/article/details/107056906 最近在做 Sp

小异常 2020-07-02 20:33:29